Tell me how to correctly authenticate the user, say, with Google LogIn?

I haven't figured this out yet, so please help me understand how the login process should work.

It turns out that when I log in using Google, I send a request, Google confirms it and returns a response with a specific user. I take this user's id, mail and name and send them to the server. The server confirms this user and returns all the data on it...

But what happens if someone steals the user's mail, name and id, sends them to the server and receives the data? That turns out not to be good...

If I understood correctly, then I need to get a Token from Google and send it to the server too; when the server receives it, it will also go to Google and check whether that token is valid or not, and then everything will work as it should.

But how do I get the Token in this case?

Tell me, am I going in the right direction?

How should the authentication process go with the server?

EDIT

When authentication goes through Google, when you click on the button, Google gives you access to using its API.. But this has nothing to do with authentication on my server...

It turns out I get authenticated on Google, and it is not clear how to properly associate that with authentication on my server?

EDIT 2.0

    public void initGoogleLogIn() {
        GoogleSignInOptions gso = getGoogleSignInOptions();
        mGoogleApiClient = getGoogleApiClient(gso);
        SignInButton btnSignIn = (SignInButton) authorizationActivity.findViewById(R.id.btn_sign_in);
        btnSignIn.setOnClickListener(listener);
    }

    @NonNull
    private GoogleSignInOptions getGoogleSignInOptions() {
        // Ask Google for an ID token minted for the server's client ID (R.string.server_id)
        // and for the user's e-mail address
        return new GoogleSignInOptions.Builder(GoogleSignInOptions.DEFAULT_SIGN_IN)
                .requestIdToken(context.getResources().getString(R.string.server_id))
                .requestEmail()
                .build();
    }

    @NonNull
    private GoogleApiClient getGoogleApiClient(GoogleSignInOptions gso) {
        return new GoogleApiClient.Builder(context)
                .enableAutoManage(authorizationActivity, listenerConnection)
                .addApi(Auth.GOOGLE_SIGN_IN_API, gso)
                .build();
    }

    @Override
    public void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        // facebook
        FacebookImplementation.getCallbackManager()
                .onActivityResult(requestCode, resultCode, data);
        // google
        if (requestCode == States.GOOGLE_SIGNIN) {
            GoogleSignInResult result = Auth.GoogleSignInApi.getSignInResultFromIntent(data);
            handleSignInResult(result);
        }
    }

    private void handleSignInResult(GoogleSignInResult result) {
        Logger.log(ActivityAuthorization.class, "" + result.getStatus().toString(), Logger.ERROR);
        if (result.isSuccess()) {
            Logger.log(GoogleImplementation.class, "User is connecting by Google LogIn", Logger.ERROR);
            // Signed in successfully, show authenticated UI.
            // The token to hand to the server is result.getSignInAccount().getIdToken()
        } else {
            Logger.log(GoogleImplementation.class, "!!!!!!!!!!!!", Logger.ERROR);
        }
    }


    In the application you connect Google for authorization. User data needs to be received, as far as I know, from the Google Plus API, which is the repository of user data.

    1. The user presses the "log in" button, the windows flash by (logging in to Google, granting permissions) and he returns to the application.
    2. The application receives user data and an access_token from there.
    3. Transfer the access_token to your server. It is not required to receive any user data and pass it to the server; it cannot be trusted.
    4. Using the access_token, on the server you get the necessary user data from Google, perform the necessary actions for authorization / registration, and then respond to the application.

    It is possible that the access_token received in the application cannot be used from the server (from another IP). As a rule, this is solved by adding a certain parameter to the authorization request.

    Getting the access_token is approximately as follows:

        // Blocking call that may hit the network: run it off the UI thread. The scope string is
        // "oauth2:" followed by the space-separated OAuth scopes the token should cover.
        accessToken = GoogleAuthUtil.getToken(
                getApplicationContext(),
                mPlusClient.getAccountName(),
                "oauth2:" + Scopes.PLUS_LOGIN + " " + Scopes.PLUS_PROFILE
                        + " https://www.googleapis.com/auth/plus.profile.emails.read");

    Here are some good code examples for getting a token: https://stackoverflow.com/questions/23759529/android-how-to-get-google-plus-access-token

    • By the way, interesting, I did not pay attention the first time. It turns out, if I understood correctly, that it's not the client who receives his data from Google and sends it to the server for confirmation; instead, all the client has to send to the server is a token, and with this token the server will receive everything and send it back to the client, right? - Aleksey Timoshchenko
    • @AlekseyTimoshchenko if by the client you mean the application, then yes, that's right. More precisely, the application can receive both user data and a token from Google services. But we don't need the user data in this case, as the server cannot trust it. But I did not understand the "send back to the client" part. Why would the server send user data back to the client? You need to authorize on the server, or did I misunderstand something? - Ivan Pshenitsyn
    • Yes, all right, you need to authorize, but here is an example: I open the application, log in with Google and go through authorization, but where should the application take, let's say, my profile photo, name, etc. from (to display in the side menu, for example)? After checking the token, should the server send it back, or should the client side get it from the Google account? - Aleksey Timoshchenko
    • @AlekseyTimoshchenko as you prefer. If you have a user system stored on the server and have avatars, obviously you should have the server send all the information about the user. If you do not store anything about the user on the server, you can also get it directly from the social network. - Ivan Pshenitsyn
    • But can you explain, I can not understand how to get the validity time of the token id? I get the token when registering via Google, but there is no method by which you can get its validity time... - Aleksey Timoshchenko
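    The asker's EDIT 2 requests an ID token for the server's client ID (requestIdToken), and an ID token is a signed JWT, so the server can verify it locally against Google's published keys instead of calling the Plus API with an access_token as step 4 describes. This is an added example in Go, not code from either answer or from a Google library; Google's signing key is stood in for by a locally generated RSA key pair, and the client ID and claims used in testing are constructed placeholders.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Claims is the subset of a Google ID token payload the server relies on.
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Sub   string `json:"sub"` // Google's stable user id
	Email string `json:"email"`
	Exp   int64  `json:"exp"` // expiry, Unix seconds
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func dec(s string) []byte { b, _ := base64.RawURLEncoding.DecodeString(s); return b }
func sha(s string) []byte { d := sha256.Sum256([]byte(s)); return d[:] }
// Server-side check: RS256 signature over header.payload against the issuer's key (pub stands in
// for Google's published key), then iss, aud, exp. The JWT's own "alg" header is never consulted.
func VerifyIDToken(token, serverClientID string, pub *rsa.PublicKey, now int64) (*Claims, error) {
	var c Claims
	switch parts := strings.Split(token, "."); {
	case len(parts) != 3:
		return nil, errors.New("malformed token")
	case rsa.VerifyPKCS1v15(pub, crypto.SHA256, sha(parts[0]+"."+parts[1]), dec(parts[2])) != nil:
		return nil, errors.New("bad signature") // forged, tampered, or not signed by Google
	case json.Unmarshal(dec(parts[1]), &c) != nil:
		return nil, errors.New("bad payload")
	case c.Iss != "https://accounts.google.com" && c.Iss != "accounts.google.com":
		return nil, errors.New("wrong issuer")
	case c.Aud != serverClientID: // a genuine Google token, but minted for some other app
		return nil, errors.New("wrong audience")
	case now >= c.Exp:
		return nil, errors.New("token expired")
	}
	return &c, nil
}
// MintToken stands in for Google's signer so the flow can be exercised offline.
func MintToken(c Claims, priv *rsa.PrivateKey) string {
	body, _ := json.Marshal(c)
	signed := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(body)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sha(signed))
	return signed + "." + b64(sig)
}
```

    Checking aud is what stops a valid token issued to some other application from logging into this server; the expiry the later comments ask about is the exp claim of the verified token.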

    In your case, there is no way around a token.

    First read this article.

    And then take a look at the Google OAuth 2.0 sandbox.

    You will understand a lot right away.

    For a detailed study I recommend reading the OAuth 2.0 technical standard.

    • Thanks! It really became clearer... But now a question has arisen, maybe you know the answer? When authentication goes through Google, when you click on the Google button, it provides access to using its API.. But this is not related to authentication on my server... It turns out I get authenticated on Google and it's not clear how to connect that correctly to authentication on my server? - Aleksey Timoshchenko
    • And can you please explain: according to the article linked in your answer, it is written that you need to get the expiry of this token... But I can't figure out how to get this validity time? I get the token when registering via Google, but there is no method by which you can get its validity time... - Aleksey Timoshchenko
    • @AlekseyTimoshchenko after exchanging the authorization code for tokens using the Google example ( googleapis.com/oauth2/v4/token ), if the response is successful, a JSON array similar to this will come back: { "access_token":"1/fFAGRNJru1FTz70BzhT3Zg", "expires_in":3920, "token_type":"Bearer" }, where the expires_in parameter is the access token's lifetime. Carefully review the developers.google.com/identity/protocols/… - Dmitry Petukhov
    • If I understand everything correctly, then the data on the lifetime of the token and the refresh token should be received on the server and sent back to the client... Does the client send only the tokenId to the server and that's it? - Aleksey Timoshchenko